
UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS
P.O. Box 1450
Alexandria, Virginia 22313-1450
www.uspto.gov

APPLICATION NO.: 09/747,770
FILING DATE: 12/22/2000
FIRST NAMED INVENTOR: Ron J. Vandergeest
ATTORNEY DOCKET NO.: 10500.00.8171
CONFIRMATION NO.: 4395

23418 7590 12/12/2007

VEDDER PRICE KAUFMAN & KAMMHOLZ
222 N. LASALLE STREET
CHICAGO, IL 60601

EXAMINER: LANIER, BENJAMIN E
ART UNIT: 2132
PAPER NUMBER:
MAIL DATE: 12/12/2007
DELIVERY MODE: PAPER

Please find below and/or attached an Office communication concerning this application or proceeding. 

The time period for reply, if any, is set in the attached communication. 



PTOL-90A (Rev. 04/07) 



Office Action Summary

Application No.: 09/747,770
Applicant(s): VANDERGEEST ET AL.
Examiner: Benjamin E. Lanier
Art Unit: 2132


The MAILING DATE of this communication appears on the cover sheet with the correspondence address 
Period for Reply 



A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) OR THIRTY (30) DAYS, 
WHICHEVER IS LONGER, FROM THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed
after SIX (6) MONTHS from the mailing date of this communication.

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication.

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133).
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any
earned patent term adjustment. See 37 CFR 1.704(b).

Status 

1) [X] Responsive to communication(s) filed on 19 November 2007.
2a) [X] This action is FINAL. 2b) [ ] This action is non-final.
3) [ ] Since this application is in condition for allowance except for formal matters, prosecution as to the merits is
closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213.

Disposition of Claims

4) [X] Claim(s) 1-31 is/are pending in the application.
4a) Of the above claim(s) ____ is/are withdrawn from consideration.
5) [X] Claim(s) 27-31 is/are allowed.
6) [X] Claim(s) 1-26 is/are rejected.
7) [ ] Claim(s) ____ is/are objected to.
8) [ ] Claim(s) ____ are subject to restriction and/or election requirement.

Application Papers

9) [ ] The specification is objected to by the Examiner.
10) [ ] The drawing(s) filed on ____ is/are: a) [ ] accepted or b) [ ] objected to by the Examiner.
Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a).
Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d).
11) [ ] The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152.

Priority under 35 U.S.C. § 119

12) [ ] Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f).
a) [ ] All b) [ ] Some * c) [ ] None of:
1. [ ] Certified copies of the priority documents have been received.
2. [ ] Certified copies of the priority documents have been received in Application No. ____.
3. [ ] Copies of the certified copies of the priority documents have been received in this National Stage
application from the International Bureau (PCT Rule 17.2(a)).
* See the attached detailed Office action for a list of the certified copies not received.

Attachment(s)

1) [ ] Notice of References Cited (PTO-892)
2) [ ] Notice of Draftsperson's Patent Drawing Review (PTO-948)
3) [ ] Information Disclosure Statement(s) (PTO/SB/08)
Paper No(s)/Mail Date ____.
4) [ ] Interview Summary (PTO-413)
Paper No(s)/Mail Date ____.
5) [ ] Notice of Informal Patent Application
6) [ ] Other: ____.

U.S. Patent and Trademark Office
PTOL-326 (Rev. 08-06) Office Action Summary, Part of Paper No./Mail Date 20070808

Application/Control Number: 09/747,770
Art Unit: 2132

DETAILED ACTION 
Response to Arguments 

1. Applicant argues, "the office action does not indicate how Shi discloses using the user
identification data that has been received by an authentication unit, and sent by the first unit, to
determine which destination unit, other than the first unit, receives an authentication code to be
used to authenticate the user." This argument is not persuasive because the Office Action mailed
17 August 2007, details on pages 3-4 how Shi meets the claim limitation in question. Shi
discloses that the web server (claimed first unit) sends the user id and password (claimed user
identification data) to the session manager (claimed authentication unit) for authentication using
the DCE security service (Col. 6, lines 27-47 & Col. 8, lines 35-47). If user authentication is
successful a unique id (claimed authentication code) is created for the user (Col. 8, lines 55-58).
A cookie that includes the unique id is sent to the user (claimed destination unit) (Col. 8, lines
61-63). Shi meets the claim limitation because the user id and password information ultimately
identifies where the generated cookie with unique id information will be transmitted upon
successful authentication.

2. Applicant argues, "the cited portions of column 6 and column 8 do not refer to sending an
authentication code to a determined destination unit that is other than the first unit since the
office action indicates that the unique ID is sent back to the client browser which is then
provided to the session manager which is alleged to be the authentication unit." This argument is
not persuasive because the Office Action never relies on the client as the claimed first unit, but
instead relies on the web server as the claimed first unit. The client of Shi is actually the claimed
"destination unit that is other than the first unit," which clearly meets the claim limitation
because the client is not the web server. Additionally, as admitted by Applicant, the client
provides the unique ID back to the session manager, and therefore, Shi meets the limitation of
receiving a returned authentication code back after sending the authentication code.

3. Applicant argues, "it is admitted that McCann does not disclose this either since it 
indicates that McCann discloses obtaining and storing the IP address of a client for the duration 
of the communication." This argument is not persuasive because this argument is directed from 
the belief that the client of Shi is relied upon to be the claimed first unit, which is not the case. 
Therefore, as mentioned above, obtaining and storing the IP address of a client for the duration
of the communication such that the generated unique ID can be transmitted to the client using the
stored IP address, meets the claim limitation because the client of Shi is relied upon to meet the
claimed destination unit that is other than the first unit. 

4. Applicant argues, "It is alleged that the Shi reference teaches all of the limitations of 
claim 10 except Shi does not specify that the communication environment is wireless. Applicants 
respectfully submit that this characterization of the claims is improper since there is specific 
wireless communication and specific channels and data that are required in the claim to facilitate 
operation. The office action does not address specific claim language and as such, the rejection is 
improper. For example, the method requires a primary wireless channel, a wireless back channel, 
and sending specific authentication code information and other information on specific 
channels." This argument is not persuasive because Rahman discloses (Col. 10, lines 4-46) that 
session setup data are transmitted to the wireless device over the reverse circuit switch link (i.e. 
wireless back channel) and once the session is established communication occurs over the 
forward circuit switched link (i.e. primary wireless channel). When modified as proposed the 
cookie containing the generated unique id would be considered the session setup data and would
therefore be transferred over the reverse circuit switch link while actual session communications 
would be conducted over the forward circuit switched link. It would have been obvious to one of 
ordinary skill in the art at the time the invention was made to implement the web server user 
authentication system of Shi in a wireless environment because wireless networks take advantage 
of the inherently bursty and delay-tolerant nature of data traffic to make efficient use of wireless 
resources as taught by Rahman (Col. 2, lines 37-41). 

Claim Rejections - 35 USC § 102

5. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(b) the invention was patented or described in a printed publication in this or a foreign country or in public use or on 
sale in this country, more than one year prior to the date of application for patent in the United States. 

6. Claims 1, 2, 4, 6, 7, 17, 18 are rejected under 35 U.S.C. 102(b) as being anticipated by
Shi, U.S. Patent No. 5,875,296. Referring to claims 1, 6, 17, Shi discloses a web server user
authentication system with cookies wherein a user provides a user id and password to a web 
server (Col. 8, lines 32-34). The web server sends the user id and password to the session 
manager for authentication using the DCE security service (Col. 6, lines 27-47 & Col. 8, lines 
35-47), which meets the limitation of sending, by a first unit, user identification data to an 
authentication unit. If user authentication is successful a unique id is created for the user (Col. 8, 
lines 55-58), which meets the limitation of an authentication code. A cookie that includes the 
unique id is sent to the user (Col. 8, lines 61-63), which meets the limitation of using user
identification data, sent by the first unit, to determine which destination unit will receive an
authentication code to be used to authenticate the user, and sending the authentication code to
the determined destination unit based on the user identification data because the web server knows
which user terminal to transmit the created unique id based upon the previous user id and 
password that was previously submitted. On subsequent requests for service from the user, the 
unique id within the cookie, is used as a pointer to the user's credentials in a credential database 
accessed by the session manager (Col. 6, lines 38-43 & Col. 8, line 66 - Col. 9, line 8), which 
meets the limitation of returning the authentication code to the authentication unit, and 
authenticating the user when the returned authentication code matches the sent authentication 
code. 

Referring to claims 2, 7, 18, Shi discloses that the unique id is session based (Col. 3, lines 
8-12), which meets the limitation of the step of generating the authentication code on a per 
authentication session basis and sending the authentication code to the determined destination 
unit in response to the generated authentication code. 

Referring to claim 4, Shi discloses that on subsequent requests for service from the user,
the unique id within the cookie, is used as a pointer to the user's credentials in a credential 
database accessed by the session manager (Col. 6, lines 38-43 & Col. 8, line 66 - Col. 9, line 8), 
which meets the limitation of the step of receiving user input in response to the step of sending 
the authentication code and waiting to return the authentication code to the authentication unit 
until receipt of the user input. 

Claim Rejections - 35 USC § 103

7. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action:

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are
such that the subject matter as a whole would have been obvious at the time the invention was made to a person
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the
manner in which the invention was made.



8. The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459
(1966), that are applied for establishing a background for determining obviousness under 35
U.S.C. 103(a) are summarized as follows:

1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness
or nonobviousness.

9. Claims 3, 8, 19 are rejected under 35 U.S.C. 103(a) as being unpatentable over Shi, U.S.
Patent No. 5,875,296, in view of McCann, U.S. Patent No. 6,052,725. Referring to claims 3, 8,
19, Shi discloses that the web server transmits a generated unique id to the same client which
requests services (Col. 8, lines 61-63). Shi does not disclose what client information is
maintained allowing the unique id to be transmitted to the same client which requested services.
One of ordinary skill in the art would understand that this could be accomplished by obtaining
and storing the IP address of the client. McCann discloses obtaining and storing the IP address of
a client for the duration of a communication session with an IP network (Abstract), which meets
the limitation of maintaining per user destination unit data including at least one destination unit
identifier per user and wherein the step of using the user identification data to determine which
destination unit will receive the authentication code includes sending the authentication code to
the determined destination unit based on the stored per user destination unit identifier. It would
have been obvious to one of ordinary skill in the art at the time the invention was made for the
session manager associated with the web server of Shi to obtain and store the IP address of the
client in association with the user id/unique id in order to provide reduced response time as
taught by McCann (Col. 1, lines 61-63).

10. Claims 5, 9, 20 are rejected under 35 U.S.C. 103(a) as being unpatentable over Shi, U.S. 
Patent No. 5,875,296, in view of Schneier, Applied Cryptography. Referring to claims 5, 9, 20, 
Shi does not disclose that the cookie is digitally signed prior to being authenticated by the 
session manager. It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to digitally sign the cookie of Shi in order to verify the source of the cookie 
as a valid source as taught by Schneier (Pages 35-36). 

11. Claims 10, 11, 13, 16, 21, 22, 24 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Shi, U.S. Patent No. 5,875,296, in view of Rahman, U.S. Patent No. 
7,218,630. Referring to claims 10, 21, Shi discloses a web server user authentication system with 
cookies wherein a user provides a user id and password to a web server (Col. 8, lines 32-34). The 
web server sends the user id and password to the session manager for authentication using the 
DCE security service (Col. 6, lines 27-47 & Col. 8, lines 35-47), which meets the limitation of 
sending primary authentication information by a primary authentication information provider to 
an authentication unit during a session. If user authentication is successful a unique id is created 
for the user (Col. 8, lines 55-58), which meets the limitation of an authentication code. A cookie 
that includes the unique id is sent to the user (Col. 8, lines 61-63), which meets the limitation of 
using the primary authentication information to determine which destination unit will receive an 
authentication code as secondary authentication information to be used to authenticate the user, 
and sending the authentication code to the destination unit based on the primary authentication 
information during the same session because the web server knows which user terminal to 
transmit the created unique id based upon the previous user id and password that was previously
submitted. On subsequent requests for service from the user, the unique id within the cookie, is 
used as a pointer to the user's credentials in a credential database accessed by the session 
manager (Col. 6, lines 38-43 & Col. 8, line 66 - Col. 9, line 8), which meets the limitation of 
returning the authentication code to the authentication unit during the same session, and 
authenticating the user when the returned authentication code matches the sent authentication 
code. Shi does not specify that the communication environment is wireless. It would have been 
obvious to one of ordinary skill in the art at the time the invention was made to implement the 
web server user authentication system of Shi in a wireless environment because wireless 
networks take advantage of the inherently bursty and delay-tolerant nature of data traffic to make 
efficient use of wireless resources as taught by Rahman (Col. 2, lines 37-41). 

Referring to claims 11, 22, Shi discloses that the unique id is session based (Col. 3, lines
8-12), which meets the limitation of the step of generating the authentication code on a per 
authentication session basis and sending the authentication code to the determined destination 
unit in response to the generated authentication code. 

Referring to claims 13, 24, Shi discloses that on subsequent requests for service from the 
user, the unique id within the cookie, is used as a pointer to the user's credentials in a credential 
database accessed by the session manager (Col. 6, lines 38-43 & Col. 8, line 66 - Col. 9, line 8), 
which meets the limitation of the step of receiving user input in response to the step of sending 
the authentication code and waiting to return the authentication code to the authentication unit 
until receipt of the user input. 

Referring to claim 16, Shi discloses that the web server sends the user id and password to
the session manager for authentication using the DCE security service (Col. 6, lines 27-47 & Col.
8, lines 35-47). If user authentication is successful a unique id is created for the user (Col. 8,
lines 55-58), which meets the limitation of validating the primary authentication information.

12. Claims 12, 23 are rejected under 35 U.S.C. 103(a) as being unpatentable over Shi, U.S.
Patent No. 5,875,296, in view of Rahman, U.S. Patent No. 7,218,630 as applied to claim 10, 21 
above, and further in view of McCann, U.S. Patent No. 6,052,725. Referring to claims 12, 23, 
Shi discloses that the web server transmits a generated unique id to the same client which 
requests services (Col. 8, lines 61-63). McCann does not disclose what client information is 
maintained allowing the unique id to be transmitted to the same client which requested services. 
One of ordinary skill in the art would understand that this could be accomplished by obtaining 
and storing the IP address of the client. McCann discloses obtaining and storing the IP address of 
a client for the duration of a communication session with an IP network (Abstract), which meets 
the limitation of maintaining per user destination unit data including at least one destination unit 
identifier per user and wherein the step of using the user identification data to determine which 
destination unit will receive the authentication code includes sending the authentication code to 
the determined destination unit based on the stored per user destination unit identifier. It would 
have been obvious to one of ordinary skill in the art at the time the invention was made for the 
session manager associated with the web server of Shi to obtain and store the IP address of the 
client in association with the user id/unique id in order to provide reduced response time as 
taught by McCann (Col. 1, lines 61-63). 

13. Claims 14, 25 are rejected under 35 U.S.C. 103(a) as being unpatentable over Shi, U.S.
Patent No. 5,875,296, in view of Rahman, U.S. Patent No. 7,218,630 as applied to claims 10, 21 
above, and further in view of Schneier. Referring to claims 14, 25, Shi does not disclose that the 
cookie is digitally signed prior to being authenticated by the session manager. It would have been 
obvious to one of ordinary skill in the art at the time the invention was made to digitally sign the 
cookie of Shi in order to verify the source of the cookie as a valid source as taught by Schneier 
(Pages 35-36). 

14. Claims 15, 26 are rejected under 35 U.S.C. 103(a) as being unpatentable over Shi, U.S. 
Patent No. 5,875,296, in view of Rahman, U.S. Patent No. 7,218,630 as applied to claims 10, 21 
above, and further in view of Lewis, U.S. Patent No. 6,738,635. Referring to claims 15, 26, Shi 
does not specify that the communication environment is wireless. Rahman discloses a wireless 
environment, but not SMS. It would have been obvious to one of ordinary skill in the art at the 
time the invention was made to use an SMS wireless channel in the web server user 
authentication system of Shi because SMS enables communications to be distributed to mobile 
units at a specified time as taught by Lewis (Col. 11, lines 48-65). 

Allowable Subject Matter 

15. Claims 27-31 are allowed. 

Conclusion 

16. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time
policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until after
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 
CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, 
however, will the statutory period for reply expire later than SIX MONTHS from the mailing 
date of this final action. 

17. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Benjamin E. Lanier whose telephone number is 571-272-3805. 
The examiner can normally be reached on M-Th 6:00am-4:30pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gilberto Barron can be reached on 571-272-3799. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 